Please note that this would not have crashed "x-sendfile-docroot"
were set to restrict the locations of files that can be sent via
X-Sendfile. If users are untrusted, "x-sendfile" should not be
enable without also configuring "x-sendfile-docroot"
"Server Aborted due to Malicious Data sent through CGI Sendfile"
mbedtls does not provide a callback for ALPN and expects certificate to
be set in SNI callback (if set), while still in MBEDTLS_SSL_CLIENT_HELLO
state. Waiting until after MBEDTLS_SSL_CLIENT_HELLO would be fine for
using ALPN for "h2", but is too late to set acme-tls/1 challenge cert.
Therefore, parse client hello for ALPN prior to initiating mbedtls
processing of handshake.
recognize and translate a common recommended cipherstring
without CBC ciphers reported as weak by SSLLabs)
tighten struct data_config and config_cond_info
create config key at startup and reuse for debug/trace
separate routine for configparser_parse_condition()
separate routine for configparser_parse_else_condition()
also adjust time_t comparison to (pc_stapling_nextts > cur_ts + 256)
(time_t is expected to be signed integral type, but might be unsigned)
"OCSP Stapling reload seems not to work"
con->is_readable and con->is_writable might be set to -1 by TLS modules
which encounter SSL_WANT_READ or SSL_WANT_WRITE. Either might occur
during read or write, and so -1 was used to flag this.
However, code which used con->is_readable and con->is_writable now needs
to check for value > 0 rather than treating value as a boolean.
flagged by coverity
final segment of colon (':') separated string was being ignored
in some TLS config strings in mod_gnutls and mod_mbedtls
workaround: add ':' at end of config string (or apply this patch)